Hackers Beware

To make matters worse, we have been using the term friends, but they do not have to be friends, for that matter they do not even need to know that they are helping the attacker. What if an attacker tried to break into a network each evening and when they were successful they installed a program that they controlled. After breaking into 15 or 20 fairly large companies, an attacker could then use those machines to coordinate attacks against other networks. Chapter 6 covers Denial of Service and distributed Denial of Service attacks, which are examples of coordinated attacks. Programs such as Tribal Flood Network 2000 (TFN2K) are very powerful programs that are easy to use for these types of attacks.

Session Hijacking

In some instances, it is easier to sneak in as a legitimate user, rather than break into a system directly. The basic technique is called session hijacking and it works by finding an established session and then taking over that session after a legitimate user has gained access and authentication. Once a user is logged on, an attacker can take over the session and stay connected for several hours—plenty of time to gain additional access or plant backdoors.

Session hijacking looks fairly simple on paper but is complicated to implement for several reasons. One of the main reasons is that since an attacker is taking over an existing session they must impersonate the legitimate user. This means getting all the traffic that is routed to their IP address to come to the hackers system. Chapter 5, “Session Hijacking,” addresses these types of attacks in detail.

Spoofing

Spoofing is a term that describes the act of impersonating or assuming an identity that is not your own. In the case of Internet attacks, this identity can be an email address, user ID, IP address, and so on. This becomes important when an attacker is exploiting trust relationships. On many systems, especially UNIX, multiple systems are usually setup with trust relationships. The logic is that if a company has ten development boxes, it is inefficient for a developer to have to logon to every single box with different passwords in order to perform their job. A better way would be to have the individual logon to one machine and have all of the other machines trust each other. What this means is that if a user is authenticated by one machine, every other machine that has a trust relationship setup will automatically trust that user without having them reauthenticate. From a functionality standpoint, this saves a lot of time. From a security standpoint, if it is not setup correctly, it can be a nightmare.

Spoofing can be considered as more of a passive attack than session hijacking. With session hijacking, an attacker takes over an existing

session and actively takes a user offline. With spoofing, an attacker takes advantage of an implied trust relationship between people and/or machines and fools them into trusting him. Chapter 4, “Spoofing,” looks at various spoofing attacks in detail.

Relaying

In most cases, when an attacker breaks into a network or a machine and launches various other attacks like email spoofing, they do not want the attack to be traced back to them. This creates an interesting dilemma, since the attacker now has to perform an attack using his computer without anyone knowing it was him. There are several ways this can be done, but a popular way is by relaying. Relaying is where an attacker relays or bounces his traffic through a third party’s machine so the attack looks like it came from the third party, not him. This creates an interesting problem for the victim. How is the company supposed to take action if they can never identify who the real attacker is? Now we are starting to see why there is such a big problem and why attackers use these techniques to hide their presence.

A popular type of relaying attack is email relaying. What this involves is connecting to another individual’s email system and using their computer to send email to someone else. To test if your system allows relaying, try to connect to your mail server from an outside address and send an email to a foreign email address. If you do not receive the following message, your system allows relaying:

Server error: Can't send to ".". The server gives this reason: "550 Relaying

is prohibited"

Trojan Horses or Viruses

Trojan horses can cause extensive damage due to the following quality which they possess: they have both an overt and a covert function. The overt function can be anything that the target victim would find interesting. A perfect example is seen around the holiday season. People send around the animated jpgs that have things like dancing reindeers. Users cannot resist the urge to pass these on and open them on their own machines. This becomes a problem when we bring the covert function into the equation. The covert function is launched when the overt function is being executed, so most users do not even know that it is happening. They think they are running an entertaining file, and in reality they are infecting their machine and their friends are doing the same. A common use of Trojan horses is to install backdoors so that a user can get back into the system at a later time.

If you have a computer or have worked in the computer industry for at least the last year, viruses should require no introduction. Computer viruses are like human viruses, there goal is to infect as many hosts or computers as possible. Once a computer becomes infected, it becomes a carrier to infect other hosts. The impact from viruses can range from annoying to extremely dangerous. Some emails will just pop-up a funny or annoying message. Other viruses will delete entire hard drives and crash systems. The most popular ones (at the time this book is being written) are email viruses. These viruses are embedded within an attachment that is sent with an email. When the recipient opens the attachment, it launches the virus.

Over the LAN

Let’s move a little closer and look at attacks that occur over a LAN, which are usually more detrimental because most companies’ security is set up in a way that it assumes that those with local access to the LAN, such as employees, can be trusted. This is dangerous for two reasons. First, a large number of attacks come from trusted insiders. Second, attackers can gain access to the LAN by breaking into a legitimate user’s account and gain the full access that a normal employee would have.

The following are some of the more popular types of attacks that occur over the LAN:

•Sniffing traffic

•Broadcasts

•File access

•Remote control

•Application hijacking

Sniffing Traffic

Sniffing traffic is a passive attack that involves watching all of the traffic that occurs on a network. Since it is a passive attack, some people overlook it saying that an attacker cannot do any damage to their network. This statement is not true. Yes, attackers cannot perform a Denial of Service attack or actively break into a machine, but they can find information that would make it much easier to gain access at a later date. Also, from a corporate espionage standpoint, someone can gain access to extremely sensitive files, which a company would have a hard time detecting. The following is sample output from a sniffer showing a telnet session:

12:13:33.589483 eth0 < 10.10.68.46.1796 > 10.10.68.48.telnet: S

win 8742 (DF)

12:13:33.634842 eth0 > 10.10.68.48.telnet > 10.10.68.46.1796: P 19:34(15) ack 23

win 32120 (DF)

12:13:33.638553 eth0 < 10.10.68.46.1796 > 10.10.68.48.telnet: P 23:26(3) ack 34

win 8727 (DF)

12:13:33.646469 eth0 > 10.10.68.48.telnet > 10.10.68.46.1796:

. 34:34(0) ack 26 win 32120 (DF)

12:13:33.646590 eth0 < 10.10.68.46.1796 > 10.10.68.48.telnet: P 26:38(12) ack 34

win 8727 (DF)

12:13:33.646816 eth0 > 10.10.68.48.telnet > 10.10.68.46.1796: P 34:109(75) ack 38

win 32120 (DF)

12:13:33.654531 eth0 < 10.10.68.46.1796 > 10.10.68.48.telnet: P 38:41(3) ack 109

win 8652 (DF)

12:13:33.654555 eth0 > 10.10.68.48.telnet > 10.10.68.46.1796: P 109:116(7) ack 41

win 32120 (DF)

12:13:33.654672 eth0 < 10.10.68.46.1796 > 10.10.68.48.telnet: P 41:44(3) ack 116

win 8645 (DF)

12:13:33.656454 eth0 > 10.10.68.48.telnet > 10.10.68.46.1796:

. 116:116(0) ack 44 win 32120 (DF)

It is important to point on that sniffing will only work on a network if the company is using a hub network. When connecting machines to a network a company basically has two options, they can either use a hub or a switch. A hub is older technology and works by receiving a packet from the sender and sending it to all machines connected to the hub. The recipient will receive the packet and process it, but all of the other machines on the network also receive it. For normal operations, a machine would look at the packet, realize it is not for them and drop it, but since each machine receives the packet there is opportunity for abuse if a network card is put in promiscuous mode.

A switch is a newer technology which is a little smarter than a hub. A switch determines what machines are connected to each port and will only send the packet to the recipient. This is good not only from a security standpoint, but from a bandwidth standpoint. It is good from a security standpoint since now, if a machine is sniffing the network, it will only see the packets that are sent from that machine or destined for that machine. Using switches increases the security, but with programs like Dsniff, an attacker can still potentially sniff the traffic. Dsniff will be covered later in the book.

From a bandwidth standpoint a switch has the potential to increase bandwidth since machines A and B are communicating and machines C and D have a separate communication, they can occur simultaneously. With the hub, every packet is sent to everyone so this does not work. If someone is using the network, no one else is able to.

Since most people do not encrypt traffic and they send sensitive information via the network or especially email, there are large amounts of information an attacker can pull off the network. One possible way to use a sniffer is to embed it with a Trojan horse program. The user would open this neat program to play a game and it would install a sniffer on their computer, which would send back all traffic to the attacker.

When I perform security assessments, one of the things I do is install a sniffer to see the impact this attack could have to a company. You would be amazed at the things that I find. I have captured user ids, passwords, sensitive files, proposals and even a couple of good recipes for banana foster. The point is, even if you have a switched environment you should encrypt any sensitive traffic on your network. It is just not worth the risk to do otherwise.

It is important to point out that even if you have a switched environment someone can still sniff the network. It is just a little harder since they need physical access to the machines. Most switches have a port that you can plug into which allows the machine to see all traffic. If someone can get access to the switch they can sniff the traffic (yet another reason for physical security).

In order for a network card to receive all traffic it has to be switched to a different mode, otherwise it drops packets not destined for the machine. Promiscuous mode is the mode that will allow the network card to receive all packets that are being sent on the network segment. In order to switch to this mode, you must install a driver for the network card. On a Windows machine clicking on the network icon, which is located under control panel, will allow you to do this.

Network AntiSniff

One question that most people ask is “How can I tell if a machine is in promiscuous mode?” Well, if you have physical access to the machine you could look at the settings for the network card. Over a network it is more difficult, but all is not lost thanks to the l0pht web site. www.l0pht.com has a program called AntiSniff that you can run to determine if a specified machine or group of machines have their network card in promiscuous mode. According to the website, “AntiSniff performs 3 classes of tests: operating system specific tests, DNS tests, and network latency tests.” All of the tests may be run together to give a high degree of certainty as to whether or not a computer is packet sniffing.

Anti-sniff is a great program, but it is important to realize that it is not 100 percent accurate. Based on the information it has gathered, it makes a best guess on whether the network interface card is sniffing traffic or not. Just by nature of how networks work, a machine could be in promiscuous mode and not be detected.

Broadcasts

All machines that are connected to the same network segment have to have the same network number. This is how TCP/IP works. Every IP address that is assigned to a machine has a network and a host portion. The network portion must be the same for all machines on the same network and the host portion must be unique for each host. For example, if the IP address is 25.10.5.50 and the subnet mask is 255.255.0.0, then the network number would be 25.10 and the unique host number would be 5.50. Therefore, any other machine on this network segment would have to start with 25.10. This scenario is similar to houses; any two houses on the same block must have the same street address but must also have different house numbers.

Normally, packets are sent to a single address, but there are times when packets want to be sent to all of the addresses on a network segment. One way to do this is to send a packet and put in the address of every machine on the segment. Except for very small segments, this is not practical. To overcome this, there is a property of TCP/IP called the broadcast address, which will send a packet to every machine on the network segment. Setting the host portion to all 1s or the broadcast address does this. Each octet in an IP address contains 8 bits, so in the previous example if we sent the host portion to all 1s we would get the following in binary: 11111111.11111111 which converted to decimal would give you 255.255. If we combined this with the network portion we would get 25.10.255.255, which represents the broadcast address for that

network segment. If a packet is sent to that address it goes to every single machine on that segment. If there are only 10 machines, it is probably not that big of a deal, but what if there are 60,000 machines? That could generate a lot of traffic and cause numerous problems. This is actually a common type of attack where an attacker sends a single packet to a broadcast address with the goal of generating so much traffic that it causes a Denial of Service attack against the network. If proper filtering is not applied at a company’s firewall or routers, this attack could also be performed via the Internet, but this is primarily performed on a LAN.

File Access

In most companies, passwords are the first and only line of defense against attacks. However, since most companies do not have proper access control lists which limit who can access what, if an attacker gains access (which is usually done through finding a user ID and password) they have all of the files on a network.

A common remark that I hear companies make is “we do not have any sensitive files and we do not care if anyone gains access to them.” A few years ago, I was performing an assessment for a company and I was in the briefing, discussing the results with the CEO, COO, and several other executives. I started by telling them how vulnerable they were; that people could access their files from the Internet; and that most of their passwords were guessable. The CEO’s comment was “so what?” He said that he did not care if the whole world had access to their data. I almost fell off my chair from the pure naiveté of this CEO. I quickly realized that no matter what I said at that point, the CEO did not care, so I decided to go back and put together some scenarios for him. A week later we went in and presented the following scenarios:

•Attackers broke into your systems and used them to compromise several systems at the Pentagon and it was traced back to your company and you were held liable.

•Front page of the Washington Post states that this company was successfully broken into and shows all of the sensitive files that were found.

•A competitor broke into their systems and accessed their proposal directory (yes, it was actually named this and accessible from the Internet) and started underbidding them and they lost several major contracts.

After this second briefing, the CEO grasped the extent of the problems and had a majority of them corrected immediately. In this example, the problem was that the CEO who owned the company just wanted to sell the company and did not want to spend any money. When we showed him that if he went out of business, there would be no company to sell, he

quickly changed his tune. The bottom line is, whether you realize it or not, if you are in business, you have sensitive information that needs to be protected from hostile file access.

Remote Control

If I want to gain access to a sensitive system I basically have two options: I can either gain physical access to the machine, or I can remotely control it over a network. Remotely controlling a machine involves controlling the machine over a network as if you were sitting at the machine. Later in this book, when we talk in detail about backdoors and Trojans, you will see examples of programs that will allow you to do this. One example is Back Orifice, which once it is installed on a machine will let you have full access to that machine. If proper filtering is not performed you can remotely control a machine over the Internet and, due to poor security, this is possible in many companies.

Application Hijacking

Application hijacking is similar in concept to session hijacking, which involves taking over an application and gaining unauthorized access. In many cases, if you can gain access to an application, you can access all the data that it has access to. In cases like word processors or spreadsheets it might not be that big a deal, but think about larger corporate applications like billing or HR systems. If an attacker can gain access to a billing system, they can acquire a lot of sensitive information about the company.

This is an area that a lot of companies miss. They worry about putting in firewalls and they are aware of their network security threats, but they totally ignore their applications. Especially from a corporate or business office standpoint, applications provide the gateway into a company’s most sensitive data. If you do not protect and properly secure these applications, all of the firewalls in the world will not help you.

Locally

If an attacker can gain local access to a computer or component of the network, he can cause the most damage. Depending on the size and weight of the component, one type of damage an attacker can cause is to steal the equipment (see the following sidebar, “Theft of Laptop Computers”). In this section, we will concentrate on attacks that require local access to the computer, but do not require the attacker to remove the equipment. The following are the types of local attacks:

•Shoulder surfing

•Unlocked terminals

•Written passwords

•Unplugging machines

•Local logon

Shoulder Surfing

Shoulder surfing is probably one of the most basic types of attacks, yet is extremely effective if you have physical access to a facility or a person with access. It involves looking over the shoulder or watching someone as they type in their password, with the goal of acquiring their password. If you make it extremely obvious that you are watching someone it probably will not work, but if you just look around for opportunities, there are plenty available to gather someone’s password. I had a friend that went to a bank to open a new account and as he was talking with the bank employee, they typed their password right in front of him. It would have been trivial for him to watch and record the password if he wanted to. Instead, he informed the person of their lack of security and they thanked him dearly. They were so happy with this new knowledge that they gave him a free account with a starting balance of $1,000 since he saved the bank so much money. Wouldn’t it be nice if the real world actually worked this way?

One of the tasks performed during an authorized security assessment is to see how vulnerable a company is to shoulder surfing. In order to do this you usually have to compromise physical security, which is a relatively elementary task at most companies. A simple example is to try to gain access between the hours of 8:00 a.m. and 9:00 a.m., when a lot of people are coming in to work. If you perform this in the winter when you need a coat and carry a box that appears to be heavy, you can get someone to let you in 9 times out of 10. In addition, most companies have employees that smoke and in most cases, they have to smoke outside. To facilitate this, they usually smoke in the back area of a building and prop a door opened so that they can get back in. If you can locate such an area you can easily gain access.

Now that we are in the building, we want to watch people type in passwords. This is very simple in a cubicle environment and a lot harder in an office layout. Even in an office environment, the administrative assistants usually have a cube or an open setting and they most likely will have more access than anyone in the company, as they maintain the passwords for the executive they work for. Also, since some people use screen savers with passwords, and since most people use the same password for the screen saver as they do for their network password this is another opportunity. Follow someone back to their desk and ask them for information that would require the computer. They will say one minute and as they type their password you can record it. If they do not have a screen saver password, when they step away from their desk you can turn